MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 19

Intelligence 19 IOCs YARA 18 File information Comments

SHA256 hash:	70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d
SHA3-384 hash:	a00308a33290a7cd5d0fa1d36661f2dffa5384d4624158ec3a1dc0f1483e5031bddedb15209a34c3d08a92e0c3a7aa27
SHA1 hash:	7b781110d6903fde85d8dd3e025630b21b8140a0
MD5 hash:	1d12c0766770f321924f8ef114a28b76
humanhash:	fix-hydrogen-lima-solar
File name:	Payment Confirmation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	948'736 bytes
First seen:	2025-02-26 11:46:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:dMRHPv6tkV7LzHDLdRnprnAaZ0bVDpZtF:dMZqaV7HDLdTbAaGbDF
Threatray	3'481 similar samples on MalwareBazaar
TLSH	T14D15F3832A2DA6B6DE78673D40058CE591F01D5C6188B6A257F8BE3EF57C0215E0FE1E
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
File icon (PE):
dhash icon	68c6a6ce96a28acc (28 x AgentTesla, 5 x SnakeKeylogger, 1 x KeyBase)
Reporter	adrian__luca
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

410

Origin country :

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

Verdict:

Malicious activity

Analysis date:

2025-02-21 01:58:17 UTC

Tags:

evasion stealer netreactor agenttesla

Link:

https://app.any.run/tasks/84b561bb-e9c5-4f0a-864c-8365914e43d8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Malware.Noon-9829285-0

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67beffcba0fd713c335cedc9

Tags:

virus msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Using the Windows Management Instrumentation requests

Adding an exclusion to Microsoft Defender

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

keylogger masquerade obfuscated obfuscated packed packed packer_detected quasarrat

Link:

https://www.filescan.io/uploads/67beff463afc3763bec7acca/reports/5ad1bfc2-0145-4ce4-b90b-a53314582990/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2e91fa6-209a-4284-9a5c-7a233127970a

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1624642

Signature

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d/

Threat name:

ByteCode-MSIL.Trojan.QuasarRAT

Status:

Malicious

First seen:

2025-02-18 14:26:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ocqssp4uafefffpstraisvh77emjly3ftwxrkvkpbu3kz4a3wbgq._file

Verdict:

malicious

Label(s):

unknown_loader_037

captiveaaloader

agenttesla

AgentTesla

458e5bd8e3508c15449bfd4c9931a59cd2a6a95ed9e6bb5b0090aa6641a29c77

AgentTesla

859aca5e05f5d22ce981a423c3aea5a26e7bbf3d6f4925cd790793167d0ae715

AgentTesla

a46460f8d8d27ef7561eec3297790812f7b6187ee066ee2ffbe3cd60c2fd5ffe

AgentTesla

efb67364fa543ceddc607094c10c4b71f3baac1f45de5c2c759c489f97a64ec2

AgentTesla

error

AgentTesla

+ 3'471 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/250226-nxyhaaythw/

Verdict:

Malicious

Tags:

Win.Malware.Noon-9829285-0 external_ip_lookup

YARA:

n/a

Link:

https://app.threat.zone/submission/38bbfa8b-c8da-47e3-b3a7-0bf236bc3044

Unpacked files

SH256 hash:

70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

MD5 hash:

1d12c0766770f321924f8ef114a28b76

SHA1 hash:

7b781110d6903fde85d8dd3e025630b21b8140a0

Link:

https://www.unpac.me/results/b76db641-a2d4-4328-aba9-8ffff7402fbc/

SH256 hash:

5adff9ae840c6c245c0a194088a785d78d91fe734ee46a7d51605c1f64f6dadd

MD5 hash:

e7cb657dfaec55d61ab84188a1a7070c

SHA1 hash:

53ce251ffd8111a5fd17da0aa3d1469deb94cc2d

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b76db641-a2d4-4328-aba9-8ffff7402fbc/

Parent samples :

787748d37a912d90bb9e5d124c35305118c11aa25501aecee3f939fcd4efed8f
3a3ab32e4de2e4d9b2548961a5af1841fb8ea6e8b661679e6fcb963df324d7e9
d0a427ef5fa5496840ff480c1ba3f2b4a533d516f6fff8b012e131a4d5f6ddc6
0478f76edf55a95129c2dc410864c96e662827e14cda5d63f31456bb66122e42
faa8850d8a28a308c917200981a80bcc481cb089f804f6867a4608a28bf0b2b5
6c9bfc38f2dd0b8e0ff1ae18e0286fd13cc7f27dfadace3a6663ae53ef3c1ed0
ff040c7bf107a9f1287d37bf802069204275ae3e00df7ea4ac0afc8ac41a7af2
926223176c531972a352050b1fe4dc3a2ddc829c3a5ed15dc7fd27905bfbd1e9
e5f7e2beb3d5e6e5beff31347898bcf5124c432b325775a63863b465b2d1f766
c77f55a3137035638939de24d529042f2b234cb72d079737901be9967d74ad08
f5c2ca5c0224f07b3379faeb4d38d468e3266a939731a540700265568c5ee5a6
40808e79d55a9b69542b9c5204fe4e1ed52c75dfdd86a328461754bbfa8ab4b7
a4f1adf9b786fe5e0f9fc1242b00214ec6532f42e75c4d828d368ac1ef7c91da
cc90da2474f808f86cc1b0653b830630f43518e2e798eba2167b52eb4976faa9
009176f8fe52515f6230b0716f1c6fbed3036b6efc285a4a219260814e739e7c
f5416d2c5f567506a87fd4be6b16ff2f5aac8f0176ba08fd57be4580c28e3ff8
45e3b1735df7c76cac0c02dab2bd084220687e4d9786ea6a32e8bca70dc1a4cd
83c356a66a5fca0dcab9029d90a62358cd17822d0d5bfd745a54e3208bf55bca
3e6ec372972312319cb1a060b9fdd000d3ae6c00eedbd0c9599eb43ae2bcd822
f5147495983f1e0eb0d595bcced8d5fceedfef286909fe6f213760c0742493ac
b604d14fff0103500662f72e757d3c0d6138b9715d752ea68096ce75d0da18d6
77598e60e221cf8ad7c6b1a9f1644a06bf336aa69d86739299f4ffb83f844d32
8ec59075771e7d96b57ca7ff32316e03164dd34f1f72d2e033e795d8449af826
027704a79bc8bc9533c0d2d20c15ff824be56a280512e2305ac66dea22e91f70
57356dbebce9198acc6eb6c6d00d66e6bc1ed21a99988fc3bb473f83f5e8f939
287de19d6a0d64d959d34892c6992c6417aa4b4ebe6b3aeced33522a3d15638a
9ca8a8277296e09fa04ce5393ba39a917d69029dfc2a88b3a6a66e3576b5334f
aac33041fefe8ce37a64b94c622ee3c8c5c3e19018f09df1421f8b7f4e5bffc6
a7dcfd4b6de3f06fdfd1a77b23a4ac800db43cfc3772cd6f202f761d2fee1f96
11d67ce2068437cce35f0b601119ebd071921f536daa8a5afff7c4d03ff1a4bc
33b37dc7c77eeab90f5e561dbf89b3e2967b6477e9071d4ee35c09d4354067ae
84bcffa814dc707ae3f97445f3eb61f7ad8afd890c1cd257bae9db4b2de62982
6d27a676ed779a7ebcd1f6f9dd001af1e2ae84fa98a18ec61709bc79878976e9
02ec52f30f2125a25e1b45c2ad3f35a6601a11f1076d2cee29e6beabba3a655a
b7676b450924ebcad663577093f84f96d1228f4bf9e3808e127e1b2a16a70933
081ac62c1a586905a31013cde41b73255650a037652c9eafcc58b801d1853c1c
d1bcf8347e8ae64035086a221d42e0460b49c52d47fdb3dbbdaf94513e9b3271
aba0672f82dcf1487d5b7b5647291ee0974e962018425dbc48ee10438fd6cf07
9b0ca796af0910c7fc67d8c81a0a4f061c53278bfef5a568d6101c2c1eb8af23
f944ca1d7c21680cbe1f62c78655862863170c51861ea0d930e7ed9b22ebc7b2
be8ae15279781ab2ac7f6985d5d611d6533fdeb2be8d783eebccc28e38ab256d
a1e04def7fd209402cfc002db03fb18c9d8694d6707b4201cbaec8ce3303ff53
16ac39458488454a5d43d2f0d250fe014bf22ab1542ee6cbd10c6f69ab8d91d8
347515299470b63f35aa85a7d38f215520456ba07dd7cb43609197d070381b63
ae1a70825040f157d78228d5668ffa7f2759fdf83293e35c351e5b4e8d035c4f
da5672185bdcb791e426127091bc7da56812d6c6cba9fc6aca754e43b59834db
d4e7b1bcebd9b9150dc206559b929744b9b592d3d62baa7902f3979b60336177
b6d1bbc15f5ae144e4801f8188cbe4768f3ba42e2c4dd56f42a7fa5ec9638460
511058d592e007c9fa589f9a703d385c39b7744e9d10bf94ee5ffe8cc5b6dc34
ae88fec8df2e320104325abf884d96a5a5248b174cb42351fe46bb2f43c99ecc
0166d72b8690a6a6982062474e31e4564a737268d61dec45e8edb759536dd963
33a9199e6a15c0cca7a30439f71a166f9b475a0ce4d1ca548845ec8c49f5fd2d
4aee0546da115d551dd0bbaf2c59f17fde0005196484a6a8b6ebdaf0b2dea1b9
ffcdb62a0cc1adb7700c13310a3234fa7b25d0981a97ad089a7433c60e7f5188
5ae6da4b081c085b0fb204312664df1ad1c293e8b2bd59456c4038bba13ef95b
8d8bb9cc17e7e3bfda2630a37f1b8866fed36b43765ef579977684c7fcc6ee7b
0ac64e3c4051edae7fb30c1381b4406e4e79663e313b4dc0b6af84a460e011b0
ce00a14a2991483cdce0604f80100ca50e70073c171e053057b20d336a71966e
2ac5abf0ad9fd254de8135b4313aa1d06a4fdae68bd44db6891fdb3130e124e0
5f80dbe0b909aa3bbf9fa7f841ddcad1687efdaaf31b7523dda11ab6c8a97d94
538a9c0bb4dd4231c1787b894df3322333bd06d98b115b4cc30720e6b7260921
74eaa1d454050b2d1fbea9d50b8bb5c9cfe9c60e79fbdf9018ab37c8349d5955
5a2a58a5c9a50cda175b03b68636c5f68d7dcc73eb19311ceb2940dddc97654e
f332c9615a0633c97e162e3a76c4c75d3a9c64492a3656d0c6d3f06f89383928
055fc07fef20e60123cd7d9760cffff1cfceac4a752a91b810bb708da88b4316
f9925fbe9ba09a653092fabbcf4b097e46651f500ae7cfaf1f68515168b333c5
58c1bb1c19cd551261465044f769a313549a574a345a2754414e48f8fc08bcbf
9ff30e39c38ae46ea0f2ab5017fc68e32580aa9a8d7a237f98ecd5c3d8fefc34
5f1cae07f4460a2eaf90b0363c946e6a4e3af969064fa1cdfb87a3ace03bdfb0
ea3d846cce6aa910a7ff04f5908946c735f94c41576c4cf44ced9c6304491861
dcb42b8ad4e7cc40fe12cfef0f5b97fba6073716a6315784ed6dd8847a51e86d
edcd9db80fa6bb9d601b9827fd5e745b8b0c6057a34b02584ded808f2ede0a48
4af2c738b8b2cc2a5ffdc33dea46b4e82582d32c95af28456127991bb1b50e09
af991ddeba10d3b5f7d23603c840755386967bcb17175e3ff91dd52da78375b4
de54e5225a9f063cfed9c337da862e02590c3007a23dfbaccbc6365b60d27d3d
1696a69754bd81946fa83afad98de0bab251f1334beaef777aba712e9eddb143
0d30580a153ea3c6f4f23970f0ed810824fbd67a98f02b076db6c01db6af6c62
bb69c9e4dc8bbcb1e7c4d7fe8bcc86c87cdb4af34212b992a5ac82ca8e92782d
1eda4ab84c92facd24c30b894a114994122cab19f4fa0f9368fa147dbfc032f9
c7504e19276343cc24118b10ed938822f791425e06c4e1865101c5446eaea08d
3c00e14ee895971b1e91ad04aebc4970b9526b79ee8413c900acbb9b4ae702b8
a69b613b4c99988b72e10c917489d5a7006b53abc75f7706b578e8b27f3252ab
50e7be9654710bc245e54d71c9992052af681f9f7002bda7232474cc7eefcfcd
b00f2a45170a731d423dd77ccad80fdaaab538d52d4f938ad53eca799eba2b23
c11538b1d7c0d04e036eb09f26e4c59576a79b97fc420bb996c617c392bb8aee
aff2d8ebd4a9c0218b8df1314b12fd2dec7706b7f1cea2029c663c53e52ff187
b6e1a7be0cd6d15ce7ba0bc79da9b8f280ab0060bc7754ba3df84555fc28b0db
724bfa1f9bf8b08699e2cb9a8c6fc0a13da0d863ece815e6b9664aab67c3b61e
2c1df05dfc658609d528cc769dbcb60191e7893fac4b46823d69843f6c7ded71
405fe1e5e2f1e04c918ccad650f5f8c035058f182c8388bb755241dd91589bbf
7d358d9073726daef4a05cef7e9a6138aca76ecc4f679d15b4c98c8e23d2e763
2ed7941c78a8b93373502b3b638392b1981785718e31bbbcca4f251d6b21f535
fb98e235d9cd58d96ab4d3389fdacfff82beda19357f313fabd95729bc984ee1
e44b986da4c6d454e98db437793fa0efb393e329b6667291656224a61f4892c5
c95de6e5963a1f5a56a8c768e69b59217aceb0c725760b29054d4bc68c75ea7e
0b757a7d353142364276c6bea7225a9cf67f81206ce9fc8f9291ab4dc911a481
b69b9806518246a9db6ae7d892b6d20b3b2c3381851def105fc5bcb049e717fb
7c0fba40b02bce96b799951c2e559ff3e78ddb5ef096f13483ee206e33f6ad45
ca24c73a0f1820042d015e2d96c97c08a37cda6cda766e609f9e33970f269fee
0297c69a6525dcc36009ebcf3df69478f22e99d788dd81b1a26728c7acb663e9
76ec6af0a17474fbe15708cfbaf20c8a7ccfd68043e539e4ea38f24f34b8dbd8
3f21cc31c22b4ad07980033f0d016966da2743d9f65dc5bc592c46c2e028a074
05d3f3857ab465a1886005e6d6138c84b8c19447b71d1781e8169e48c371c0a3
30437c6991871291a51ae849894d48d0179bc459db221e48d1c4a5bb1cd522c6
b50e43fcbcbb576fcdaa25d54b1c245eb4896659a1418b0c7a2b517f016ee3c7
7453e2691add44d3d800249e0b5b37ab5f1e598b8e2917f8e0b0cebdde109179
eff4be0205784bb6386855f54630e170d8915e387d5a8f9d3b10174d7cc6f47d
fab2b2eddd748ae7fcbc5a1d0c2e0a7f9c75214a114d9450ca41c85ea9e71a09
730f10ea6f19f62c826e980760a20ded9eccbf13c5595ecfcf989722dabb4b27
3fdfd6e43f7328a408c2c5f27faf60cbf213f595c21cfd5b2fdd54170fcd2036
078263b898d23617f9d122ed659a6262ec0e90f284e429af3d08ef6da5d31b47
04b3e24898ad118dfee0013ae96979d83d0dc99c3497fd123b09d3cbf9180cbb
1b7695c083699fbd1a0f577d68a54a9619981a35dc3234b9298538e2021e3a7a
1fa99b813d2291896dd8a8d468345657d677a49b02b70d7c9f60e668aad2cc67
7b9c9e71110c3980f1803a7438f507eadea9b078e59a61d551e21e1cae8ad5e5
87dc8dea6c3860531876193b34e58dcc590cf646bd863e52430baee19b2271a3
72ef04b633c90ce77442104498f7b667e6bcf0deee9c837beb54d8d3bb3503e0
782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1
da551ab6e000732499227a67f2be68d1256b58d95963a903cc316e2730db9d1e
b6383a5fe17a23dce23e59aee55a9d304e60b25cc7cefe9d97e7703b0886c1bf
7b1d37ad80336e2eda4720deb2dd61b353c9ea2071f9cc2564b4fe28d2ca775c
6e3a3e33b2e7792291afadfd45153795c642eecf859eb01911943cd57a55e478
8bf01e5c0e48ae7f101d2e955f9829fa545449488b22d5bc1d02fc56545cb27e
39bfc41b1b43a5319ca1c0b1df4906b2ff41c120223f372e85a696432667fd93
572ee11cb26d0952d901bc35f226d46264264f01afa9cc1491745400f5e5f360
70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d
73894e9dabbea10e1befbf6d68c03b45dd45e8170cc9cac9a2fa420585010ce0
d003d51384319fc697de30896a9c38c3363e352de173406f78f29410ca3282a4
1fd19f607089ebe45a528376af9057185444bb15a2f1307eca732674d3c39cd3
511af3c08bd8c093029bf2926b0a1e6c8263ceba3885e3fec9b59b28cd79075d
6506e06b9b96e41137ca0ff6be68c11c31804d350277ef345454459d4c2228bf
6b0bef0d0996bc1eed9dd88ee0f01478b1e5d01b016c03b6f18edc6225a72a6e
cef5d5a46f1f6207c526fbe6e55d370b3bf2543bb7cf53750002933881c89b19
920e4d99f8843d65a8339655a864bc81e03366e974a9f3329d860d515b60a0e1
08a38569c56df9d4889cfac468996617a68a149f8ddff7bad16e6609e7c5571c
e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
30a2111fc32aa43eb5e19bbe6a17b4653387dc46c7b4c90f2b735fd1e58a05a9
0e96337c9c239e6151b82cd4caca508f1235787b14024e22f75606901016b232
a0ff35101d202ae3367837980c58ebbc2238ddbed52a614b73fee68bccdb7ad1
9b730e4e913091b07a3ac73db0b0bc8424fe5f005aa6ebdc7218287949ca1524
ddd294075c549d450ca2980348b9aa282fbc1cdc1f032b62f12f991365412fa5
8e000211c865431b51b1e3733e0bc6d7efcfb8a3d45631cb10f0d7813b0b2e59
be959c5af412cea0ace74075b381c4a2328160b92cdde26a4dd8739a437be30e
fa5584ac7257747136c877bd58182430e2d23d5c6b4eff9ab240fcaefe526ee5
e2981af6ab5e2643908ddd54773bcb6235122cf6d1d1a77a876edfea51ee4d63
a433c4a4a88ea7ade87bf36dd4ef522a8c6f13619f2ebf2bedbec029d59bb134
a7550382a1454c2310dd59d031924e796feb64e71ddaa26e16c36f30ba3d3197
9b7fee62771dd489a06bd73844e56c4335034872b8d0286cc456ca6077b0e149

SH256 hash:

cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c

MD5 hash:

375a7c8575a28440c4e4f0b72df2f759

SHA1 hash:

960eb458a3e68b9388bafe727e6365527e20d841

Detections:

win_agent_tesla_g2

AgentTesla

INDICATOR_EXE_Packed_GEN01

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Agenttesla_type2

Link:

https://www.unpac.me/results/b76db641-a2d4-4328-aba9-8ffff7402fbc/

Parent samples :

29f2f8293c3b8868dd9f057b6b7ec1a898c1e57205be359afafa433cd9cd7bb3
1c92d3868a5a6d2f87a8c0308ff37d329911dd4c43b5fbd654a69773ca6fbbbc
c2de6c81a5bc4a97ac8e34adb89a14885bfc91bc284550221d865f335f575214
d7e484c20f0341e35945ad2a6f803fcd0829a68b7dedf05430c0be06d5392ed5
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d
d1248b99698d1efcfddacc89384b3df62e8dce35251d7a96dbb13cd31b30f853
30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
b2d9f8edf1b8ab56a07620a6dd37944c423604ea5e25d97de57d03f5412b9906
6443b593fc020a993974a850a6609c498398ac6d8368607dd2bc1ad1d785f38b
b3ac3ae44c087c5dc5d42c5ea8531e82f47cc6740da571a7c60624dfdb436469
0c33297e293bffec0a5728c9553044a89b5b4ef7389b2a45fb460dbc0fdf838a
5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba
57b6b7a5011b1e0d3b8a43da9c78528e3a133cd20f5f9cf72c6359dab423693a
e28f384946d7a17d59de700e40186725163b534eab150d6be5327187e7f83a28
dd566ea9737c75cf44885c842a944952d23abc1fb315867b4f07c3b8f37ce01b
9451626c4ac447e1f325611381448ee5fc8224945bda86cf32ce94306c3cd9ec
104fa5737e0c2aafa7558bd7bd6080cf54ac125b4337f4e0515e41d9e1370a04
cd583aa76a762a640be309b14234e47081d254d416b0567afb293f219428ce46
ec4ae5d1e86adee06c295ad77006d3328d144aad4fa2d0dd4fb7fa1380e21406
cb4952b33305e97d86f398405b0bcd4bb59f61bfa16bf4f27be8a8dc2584208c
22a01767b082d5ef80c5f191c653f73fc7d4f9d2742229580fd928a9a867a4df
7fce3e76c6fced8598769e97c7cf34eaa6e86949bf61b75526fb3b489f6d81f7
15299cddb4e03bc2bbc2e2c057c1abf3ab063a5839e7fc933939797aa5c38fb5
b4930dde2fc721a3d6648831dd4fe2ebd5085e0218864eb48e68e54a69d7cd41
86b3feb69665d03eaf1b1a3fc4dcf8221443f9c75458f34aea20d72d05c16cfc
8e29aa00863b1746ba25132f7ecb7bcb869d3a7e647dc8d6d3255491c5ac5212
3d1e16dec7f88b3ccdf7197c64a6eea6a7d3599c12f34893d60012ffd61f15ce
d5d6f7922d87a58322e5d4ace6819497d0942b3b22dc10c52f5a37cad8e42793
07c65671acce67cfa5a214ce2285563f6b3eaeadd5afbcd21bcaa42a536f7ba6
67f4b6cba186520b5247fa0ec23e129dd20c51640662108c2b9db61cf968f17d
2da496c1cdddd81ca1e452eacc38596132cb62883d8b568ee55e2524a054facd
9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
39454a1ce8c389d837bb510efe44858712813fd3ef611822af3a1e5b0f64f52a
001c5c64500979a3b3c0251a7e94292dd1a188638bc7aeb0168e9578c53eaaef
019c0bda2cdb00d88ddd70fae9c57490c14b218aa3c2e9f383f75fa415c03168
0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
5da381b368562b2c5d9fce29e229c640ea428b3d4519562613f987235bc611b8
c6ca7a0c812b140b8d3e1f7ceb12f0efe6bc0f564c6312814bc9dba1255e8788
b46e55db0693853f1f96a8ba2baad879f4e700db1c976a4041427ed221538922
81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b
d2200969f527ad8529714c8fdd97ae9646eaa76c702dfcd71dd2ad7e84898cdf
914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75
d4a4e4c891bacb6ffa8884695d7d757d8dbbae18ec64370bac3f6ecc024ea334
3b593da5f678af89946aebb762ab465c627a4dea6942b1a134a22536fb9ec7b6
5fd1a09cf8cee6f5529209307343ce46ab95e96b7fe6151d57e4f2d225827b3d
207836d40a534374a426bfb3eda7d988a77b2d8312b122644be1ff6659ecb59d
76930f5752402bbffccf8edeb6b07cd1ccf925c8c34853650e367cb2e0bc3e8a
7f26fab81265bdcc5ee00766756159b473e5350f77e13cddfb28b3af9480d19e
a46460f8d8d27ef7561eec3297790812f7b6187ee066ee2ffbe3cd60c2fd5ffe
e7d6f8ffb410620820c565a54f6360ad432593cb99705ab5d408e7e53c8f19ab
70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d
e87a5cb662913f9eb7a91ba0879b534da9069f26e3176d9418b16b39eef6f9fc
af65f2da3fd19510fafbeeff3fdf3531db13eef1cf40f6bcf6580f76c8abf3e4
276ee9ca37adcf31809cad29a26c112e623e8b0d9444334247139a63563ba268
4587101c910c2af014b4f604c0ba76717c1c8b3f360ce0a191e81158b691f6cc
27bd5e4723cf6f83c2f4a5669ed07025c8c7925ee09b59861c6ec6009615e28d
97f4735ea0610794bdbb279c3d8fab019be4552788b76ea8ffcc4a53f7d731fe
db9075f1eadd4b7dfbc145d16f17c50ec345e99d3b5e3b7593f86e5b8532b4c5
8c3a603f6409c75df6f65da000fb6370e8a95da1572507a6f812d06f219c89b3
d11a5704f52bcddd56abfc1533daf7d30bc6b98ee89d81e7534f1be1343c9a6d
1de9012faa32acb0bd829ee77afa29ea04798a14152e2a624f03b08992922bea
77625c8d0612143544ef6bf2907b6f30fd4be765bdd955004885b29f388fb17d
1d1753775e003c95edf26e2938b3f7b9411c0791a5a65c77f662264e6a554156
d695f1fe44dd596d3132f964c43d9729a7df5bdcea72c504db47a41c6a648164
74b30b12fca88b189c0aec3f5af5dabb8f496811036bc4c1601b2fe49fdd96e4
f140450118202ed165b49c1a623d7e64ecf9b147254359255a734d849b9cb5d5
e71dcdd820367c9cb0b261d69c2bf74bd0d889823b75e92bc5752042a0712dd7
3d2bd0f41f351103caa9c7f99aad63c41884c7d408fba0a9c5eed5af9f5014db
c27773f8b51094bb8518e9b7e896be05144fd7f66e8b7352b974e7f42b6abc98
49a677d5dc211d01e7860854330875894852c15b14e79c19719ca47094962b77
2175bfc02e12d0136d4cdfa370226d8917b46132cbb007b04e1b79dec177b7c5
8f2d4544422f6870cebdfed81c4d0ca7db176e34166306f0fec4e4d509b773cc
750b354b873770c3702def2ba20335091b10e73f2e19e0d9f6c2164d836cf1f0
0c84b7722d83c5eba4829bcc7849e6f791fdca8a8a2c41148b2ff6ccd68e52a1
6f4245e6fc909528580e36c0ac716d6e8b19df8f6ce43bd93f526f282f3e86ec
059e6f46dc494f497e19284906976773271e9118bb7749f1aaa6cbbf4e337d39
9f178274219fc99efcbca3c85ea794c9b7a4ace49176a83a884a54794e8a1ee2
f7121d16f7c5e546edc168027fdcbeee4698b1038b035003002cee8a295468ad
2b3b53a5156b258cbe1babe783c03f3b3733c1b51a45fc6b23d84f4a84b50b84
e12f9f6dd4d092492c0d9e422da3123d88ed33ebdbb77706454e0a4a534aff5e
4b493efbc51d8cc77f3fe9e2b96070d5b9e1641a00a3f265cdb60209993fa515
6a58063fd4bfe4c9fd2bb7b17216fe3353a358a404d8b162d8b6f2a9bfc7b625

SH256 hash:

e740dc82680f39ed3ac5a44461df43a9588d1d815ee655dec09a5d2676bfc51d

MD5 hash:

d928765ce35f4948590529fa3805e4f0

SHA1 hash:

a2d762e5742da23970f3e40b5d811019765402ad

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b76db641-a2d4-4328-aba9-8ffff7402fbc/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/70a1293f9401/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	AgentTeslaV5 Create hunting rule
Author:	ClaudioWayne
Description:	AgentTeslaV5 infostealer payload

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	INDICATOR_EXE_Packed_GEN01 Create hunting rule
Author:	ditekSHen
Description:	Detect packed .NET executables. Mostly AgentTeslaV4.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many file transfer clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing Windows vault credential objects. Observed in infostealers

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	Windows_Generic_Threat_9f4a80b2 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_AgentTesla_ebf431a8 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 70a1293f9401485295f29c408954fff91895e3659daf15554f0d36acf01bb04d

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample